

The Savannah Compromise - what really happened?

January 1, 2004

This article was contributed by Joe 'Zonker' Brockmeier.

2003 hasn't been a banner year for computer security, and that includes Linux. The CVS repository for the Linux kernel was attacked (if clumsily), several servers related to the Debian project were compromised, and the GNU Project's Savannah server was also broken into recently. Since little information has been published about the nature of the Savannah compromise, we contacted Bradley Kuhn, executive director of the Free Software Foundation, for more information.

Kuhn described the Savannah compromise as "almost identical to what happened to Debian." (A detailed account of the Debian compromise can be found here.) Kuhn said that he believes that the Savannah compromise and the Debian attacks were related, and happened at about the same time. However, he said that the project has not put a great deal of time and effort into analyzing the attacks because it was more important to put Savannah back online and to try to harden the system to see to it that a similar compromise doesn't happen again. The hard drives from Savannah have been saved for future reference, but the project is not putting its efforts into thoroughly analyzing the attacks.

For the most part, Savannah has been restored, and changes have been made to try to ensure that a similar attack will not be possible. However, some features remain unavailable, including Web CVS access, and new projects are not being approved for the time being. According to the Savannah website, new projects will probably be accepted again sometime before the end of January, 2004.

Has there been an attempt to insert a trojan into any of the code residing on Savannah? Kuhn says that the owners of projects on Savannah have been asked to go through the code hosted there and verify that it hasn't been trojaned. So far, there have been no reports of tainted code; however, not all of the projects have reported their status. Kuhn also noted that projects on the Savannah website will soon have an indicator showing whether or not the developers have verified the integrity of their software.

We also asked if there was any sensitive information on Savannah that may have been compromised. Kuhn said that the useful information on Savannah mostly consists of the code for the various projects, and that the only other information of interest would be developers' passwords. The passwords on Savannah have been reset, of course, and the developers have been encouraged to "investigate their own personal security."

For now, the GNU Project is not actively pursuing criminal prosecution of the attacker or attackers. Kuhn says that the project is not "ethically opposed" to prosecuting the intruder, but that with limited resources he'd rather divert time and energy to restoring the services and trying to harden systems to make future attacks more difficult and easier to contain.

To that end, the compromise may actually be a good thing in the long run. Kuhn said that they have contacted the CVS maintainers and have offered to pay for development of features that would allow GPG signing of commits through CVS -- making it much more difficult for changes to be inserted unnoticed into code held in a CVS repository. He said that they have also contacted the GNU Arch maintainer about adding GPG signing. Though it may take some time to develop, the addition of GPG signing to commits would be a welcome feature.

Kuhn said that he expects that the future will bring more attacks on the community, as free and open source software becomes more prevalent. Opponents of the open development model will no doubt be using these events as an illustration of the "dangers" of open source. Though the recent intrusions have mostly been an inconvenience, it's important that the community learn from these attacks, and redouble efforts to prevent them in the future.

New vulnerabilities

cvs: possible root compromise

Package(s): cvs
CVE #(s): CAN-2003-0977
Created: December 29, 2003
Updated: February 13, 2004
Description: Stable CVS 1.11.11 has been released, adding code to the CVS server to prevent it from continuing as root after a user login, as an extra failsafe against a compromise of the CVSROOT/passwd file.
Whitebox WBSA-2004:004-01 CVS 2004-02-12
Fedora-Legacy FLSA:1207 cvs 2004-01-28
Conectiva CLA-2004:808 cvs 2004-01-20
Debian DSA-422-1 cvs 2004-01-13
Red Hat RHSA-2004:003-01 CVS 2004-01-09
Gentoo 200312-08 dev-util/cvs 2003-12-28
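The "stop running as root after login" safeguard described above, as an added illustration that is not code from CVS or from this advisory: the order of the calls and the verification afterwards are the parts that matter. The target uid/gid 65534 in main() is an assumed example value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to an unprivileged uid/gid in the order that cannot be undone:
 * supplementary groups first, then gid, then uid. setuid() (not seteuid()) also
 * replaces the saved set-user-ID, so a later setuid(0) must fail.
 * Returns 0 when the process is verified to run as uid/gid with no way back to
 * root, -1 (errno set) otherwise. When not started as root it only verifies. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        if (setgroups(0, NULL) != 0) return -1;
        if (setgid(gid) != 0) return -1;
        if (setuid(uid) != 0) return -1;
    }
    /* Verify rather than trust: real and effective ids must all match. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* The failsafe itself: an attempt to become root again has to be refused. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void) {
    /* Assumed target: uid/gid 65534 ("nobody" on many systems) when started as
     * root; otherwise the current ids, which only exercises the checks. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid=%ld gid=%ld; setuid(0) is refused\n",
           (long)getuid(), (long)getgid());
    return 0;
}
```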

fsp: buffer overflow and directory traversal

Package(s): fsp
CVE #(s): CAN-2003-1022, CAN-2004-0011
Created: January 7, 2004
Updated: January 7, 2004
Description: fsp suffers from both a buffer overflow vulnerability (which can be exploited to run arbitrary code) and a directory traversal problem.
Debian DSA-416-1 fsp 2004-01-06

jabber: denial of service

Package(s): jabber
CVE #(s): CAN-2004-0013
Created: January 7, 2004
Updated: January 26, 2004
Description: A vulnerability was discovered in jabber, an instant messaging server, whereby a bug in the handling of SSL connections could cause the server process to crash, resulting in a denial of service.
Mandrake MDKSA-2004:005 jabber 2004-01-23
Debian DSA-414-1 jabber 2004-01-06

kernel: two vulnerabilities in 2.4.23

Package(s): kernel
CVE #(s): CAN-2003-0984, CAN-2003-0985
Created: January 5, 2004
Updated: January 19, 2004
Description: Paul Starzetz discovered a flaw in bounds checking in mremap() in Linux kernel versions 2.4.23 and earlier which may allow a local attacker to gain root privileges. No exploit is currently available; however, it is believed that this issue is exploitable (although not trivially). The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0985 to this issue. There is also a minor information leak in the real time clock (rtc) routines. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0984 to this issue. See this advisory for more information.
Debian DSA-427-1 kernel-patch-2.4.17-mips 2004-01-19
SuSE SuSE-SA:2004:003 kernel 2004-01-15
Debian DSA-417-2 kernel-image-2.4.18-1-alpha 2004-01-09
Slackware SSA:2004-008-01 kernel 2004-01-08
Gentoo 200401-01 kernel 2004-01-08
Mandrake MDKSA-2004:001 kernel 2004-01-07
Slackware SSA:2004-006-01 kernel 2004-01-06
Red Hat RHSA-2003:416-01 kernel 2004-01-07
Fedora FEDORA-2003-047 kernel 2004-01-07
Debian DSA-417-1 kernel 2004-01-07
Immunix IMNX-2004-73-001-01 kernel 2004-01-05
SuSE SuSE-SA:2004:001 kernel 2004-01-05
Fedora FEDORA-2003-046 kernel 2004-01-05
Debian DSA-413-1 kernel-source-2.4.18 2004-01-06
Trustix 2004-0001 kernel 2004-01-05
Conectiva CLA-2004:799 kernel 2004-01-05
EnGarde ESA-20040105-001 kernel 2003-01-05
Red Hat RHSA-2003:419-01 kernel 2004-01-05
Red Hat RHSA-2003:418-01 kernel 2004-01-05
Red Hat RHSA-2003:417-01 kernel 2004-01-05

mpg321: format string vulnerability

Package(s): mpg321
CVE #(s): CAN-2003-0969
Created: January 6, 2004
Updated: March 28, 2005
Description: A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Gentoo 200503-34 mpg321 2005-03-28
Debian DSA-411-1 mpg321 2004-01-05
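An added example (not code from mpg321 or from the Debian advisory) contrasting the bug class with the fixed form, plus a small review helper for spotting format directives in data that should be plain text. The sample title string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample metadata, standing in for a title read from an mp3 file
 * or an HTTP stream (assumed; not data from the advisory). */
static const char kUntrustedTitle[] = "Track %x %x %s %n";

/* The bug class the advisory describes, shown only as a comment:
 *
 *     printf(title);   // title becomes the format string: %x/%s read the
 *                      // stack, %n writes to memory
 *
 * The fix keeps the format string constant and passes the data as an argument.
 * Returns the number of characters written, or -1 if the output would be
 * truncated (truncation is refused rather than silently accepted). */
int format_title(char *out, size_t outlen, const char *title) {
    int n = snprintf(out, outlen, "Title: %s", title);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Review aid: count '%' conversion specifiers in a string that will reach a
 * printf-family function. A non-zero count for data that should be plain text
 * is a signal to audit the call site. "%%" is a literal percent, not counted. */
int count_format_specifiers(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void) {
    char buf[64];
    int n = format_title(buf, sizeof buf, kUntrustedTitle);
    printf("%s (%d chars written, %d specifiers in input)\n",
           buf, n, count_format_specifiers(kUntrustedTitle));
    return 0;
}
```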

nd: buffer overflows

Package(s): nd
CVE #(s): CAN-2004-0014
Created: January 6, 2004
Updated: January 7, 2004
Description: Multiple vulnerabilities were discovered in nd, a command-line WebDAV interface, whereby long strings received from the remote server could overflow fixed-length buffers. This vulnerability could be exploited by a remote attacker in control of a malicious WebDAV server to execute arbitrary code if the server was accessed by a vulnerable version of nd.
Debian DSA-412-1 nd 2004-01-05

xsok: bad privilege handling

Package(s): xsok
CVE #(s): CAN-2003-0949
Created: January 7, 2004
Updated: January 7, 2004
Description: Steve Kemp discovered a problem in xsok, a single-player strategy game for X11 related to Sokoban, which allows a user to execute arbitrary commands under the group ID (GID) of games.
Debian DSA-405-1 xsok 2003-12-30

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds